General Data Protection Regulation (GDPR)

What is it?

On 25th May 2018, the General Data Protection Regulation (GDPR) will replace the current Data Protection Act (DPA). The new regulation seeks to better protect individuals' rights around privacy and personal data, in view of the rapid changes in technology that have occurred since the DPA was enacted in 1998.

What does it mean for the University?

The GDPR will apply to any personal data that is collected, stored, or processed within the University. Among other things, it seeks to regulate excessive processing, and to provide the ability to correct or delete data when required.

The principles set out in the GDPR are similar to those in the DPA. There are, however, some key changes:

The Accountability Principle: The GDPR has more stringent expectations around accountability. This means organisations like the University will need to be able to show howwe comply, for example by documenting our decisions around the processing of personal data.

Penalties: The fines for non-compliance are much more severe, at up to a maximum of €20 million, or 4% of annual turnover. Non-compliance would also be damaging to our reputation.

The GDPR does not mean we can no longer collect the personal data we need for our core operations to function. It does mean, however, that we need clear and careful procedures around the personal data we hold, why we hold it, and how it is used. In some areas we may need to make changes to the ways in which we collect and handle personal data.

The University holds personal data for all staff and students. It is therefore in all of our interests to take data protection seriously. GDPR presents a significant opportunity to review and enhance our operational processes in support of compliance.